A debate recently arose within our technical teams, which I feel reflects an industry topic that merits discussion. The term “cybersecurity” has taken on prominence, particularly with the general public, and also with commercial customers. It appears in news headlines, books and more recently, as a corporate initiative rallying cry. Yet for our security specialists, who spend their days deep within industrial systems, the standalone term “cyber” has distinct connotations.
In this column, I’d like to introduce the various perspectives on cybersecurity as a moniker, share some illuminating data, and present a vernacular to move our field forward. First, a technical set of viewpoints on the layman’s use of cybersecurity:
Cybersecurity is positioned as a subset of information security (InfoSec): “Cybersecurity is the process of applying security measures to ensure confidentiality, integrity, and availability of data.” This hierarchy and definition, argues one of our R&D specialists, limits the role of protection to that of information (data) only.
In fact, in our industrial network experiences, we have found that commands and system controls require deeper defensive measures. Information security is just one facet, and it’s not the same as the term might imply in information technology (IT) situations.
In operations technology (OT) environments, information protection frequently requires a trade-off among the prioritization of confidentiality, integrity and availability. An example of this prioritization is user account lockout due to failed password attempts. This feature intentionally compromises availability of the system – the user gets locked out – to ensure the confidentiality of data in the case of a password brute-forcing attempt.
Industrial security policies must apply a different priority. Locking out a user account may be acceptable in an enterprise environment, but locking out those who control a gas turbine or oil wellhead during operation – especially during an emergency – is completely unacceptable. System availability and integrity is always the priority, necessitating a more sophisticated approach to access control and separation of privilege than that of an IT system of similar scope. The term cybersecurity, in these situations, must stretch beyond information security, as well as acknowledge the serious digital-physical trade-off considerations that can affect human safety.
We also surmised that the use of “cyber” was spawned by the rise of the Internet, to reflect “online” or browser activities, and perhaps the industry has held onto it ever since. Where this generates angst for a security adviser is that “cyber” thus refers only to a distinct public network or collection of computers tied together for public use.
What about the myriad of private-public or intra-company connectivity paths that are prevalent in today’s industrial environments? Are we enabling a blind spot, implying that only public networks introduce threats into critical assets such as water treatment plants or vaccine production facilities?
In reality, as many a penetration tester knows, a simple USB stick coming through the control room door can present as much risk as any Internet browser. In addition, once a system within the perimeter is initially compromised, lateral movement within the system – leveraging control system specific technology and exfilteration using egress communication, such as OPC-DA – is also possible. From the control system, file shares and DNS via the enterprise can connect to the Internet, but that is not historically what the term “cyber” has implied.
Now, onto some illuminating data.
As engineers do, we looked for data to sort through the opinions and get closer to “facts.” By reviewing Google N-Grams, which scan thousands of books from 1800-2008 to count citations of any term typed in, here’s what we found:
The term “cyber” has been used in at least ten different variants over almost 40 years, reflecting cafes with access to the Internet (cyber cafes) to my company’s raison d’etre (cybersecurity). From around 1976-1982 (there is a smoothing function that changes years slightly), it was in use, but particularly from 2000 on, it began to increase steadily in its prevalence. Directly above and below “cyber security” in this period are its corollary evil twins – “cyber crime” and “cyber attacks.”
Certainly, all data is skewed based on the methodology used and important nuances. But as an initial scan for argument sake, the data is fascinating.
As for Information Security, at least according to Ngrams, it is more predominantly cited than cybersecurity. Yet, it has similarities in its peak times. Some could argue this supports the belief that cyber is viewed as just a subset of information security.
What about the same Ngram view for “Internet,” if that’s the reason we use “cyber” still today?
The “Internet” term came into use after “cyber,” rising notably from the 1990s, with an interesting drop-off after 2000. Could “cyber” have overtaken “Internet” after 2000? Or is there zero correlation between the two terms?
From my perspective as a technologist, I tend to look forward, not backward, despite the obvious intrigue of the Ngram experiment. What’s most important, of course, is that customers mitigate the changing threat landscape as OT networks increase connectivity and air gaps disappear.
Recently, academics and government institutes have started using the term “cyberphysical security” (which is not yet appearing on Ngrams, in case you were wondering). To me, cyberphysical better aligns to our Wurldtech security approach by going beyond embedded systems and “just IT” or “just OT” analysis, to holistically mitigating risk across industrial environments.
As the IEEE describes it, “In contrast to cyber security, the goal of cyber-physical security is to protect the whole cyber-physical system, which uses widespread sensing, communication and control to operate safely and reliably.” And from the National Science Foundation, it represents “engineered systems that are built from, and depend upon, the seamless integration of computational algorithms and physical components.”
Understanding the enormous investment in the Industrial Internet, there is no doubt that previously closed devices, systems and equipment will evolve their connectivity and sensory capabilities. And with this will come advanced levels of risk. For our security researchers, it will be less about how to describe what we do – cybersecurity, cyberphysical security – than it will be about continually expanding how we discover and protect against new types of threats affecting our industrial customers.
In my next column, I’ll talk more about methodologies organizations can employ to institute a culture of cyberphysical security.